SELinux relabel API
by Richard W.M. Jones
[
I realized that we were discussing adding this feature, in various
private email, IRC, and this long bugzilla thread:
https://bugzilla.redhat.com/show_bug.cgi?id=1060423
That's not how we should do things. Let's discuss it on the
mailing list.
]
One thing that virt-customize/virt-sysprep/virt-builder have to do is
relabel SELinux guests.
What we do at the moment is run:
if load_policy && fixfiles restore; then
rm -f /.autorelabel
else
touch /.autorelabel
echo '%s: SELinux relabelling failed, will relabel at boot instead.'
fi
while chrooted into the guest (using the 'guestfs_sh' API).
This has a number of problems:
- It has to load the policy using 'load_policy', but this doesn't
work sometimes:
* RHEL 5 load_policy takes a parameter.
* Doesn't work if appliance kernel is significantly different from
guest kernel version, because the binary policy format changes
irregularly and is not backwards compatible.
* Requires the appliance [host] kernel to be compiled with
LSM/SELinux support.
- Touching /.autorelabel is often broken, e.g. it's broken in Fedora 20
because of systemd (RHBZ#1049656).
- /etc/resolv.conf will not be relabelled if guestfs network is on,
because of resolv.conf shenanigans in libguestfs.git/daemon/command.c
- It requires running guest code, which we'd like to avoid.
What would be nice would be to have an API to just do this
relabelling. Libguestfs could change this API as required to handle
different guests.
Dan Walsh helpfully pointed out to us that we've been doing it wrong
all along :-) A much better way to relabel is to run:
setfiles /etc/selinux/targeted/contexts/files/file_contexts DIR
where 'file_contexts' is a file which contains the default labels for
files (a set of regexps), and 'DIR' is the directory at which
relabelling starts. Note that 'setfiles' would be the libguestfs
appliance binary, so no guest binary needs to be run.
A simple API could just look like this:
guestfs_selinux_relabel (g);
which would always use the 'targeted' policy from the guest, and
always start relabelling at the root. This would work fine for
virt-builder.
For Colin's requirements for Project Atomic, I suspect he will want to
be able to set the file_contexts file and the root directory, but I'll
leave him to describe what would be useful.
A couple of notes:
- I'd like to avoid baking in assumptions from the 'setfiles' command
as far as possible. libguestfs APIs last for many years and some
have caused us many years of regret (but that's our job) :-/
- Is it a good idea to tie this into inspection in some way -- for
example, inspection could provide us with the path to the current or
default SELinux policy.
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-top is 'top' for virtual machines. Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top
8 years, 11 months
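To make concrete what the setfiles-based approach in the post above computes, here is an added example (my own code, not from the post and not libguestfs or setfiles code). It parses a constructed file_contexts fragment in the file_contexts(5) format (regex, optional file type flag, default context or <<none>>), applies the last-matching-entry-wins lookup with the file type column honoured, and produces a dry-run relabel plan over a constructed snapshot of a guest tree's current labels. Assumptions: paths are guest-absolute, as setfiles sees them when run with an alternate root over a mounted guest; Python's re module stands in for the PCRE engine libselinux uses, which differs in corner cases; the function names, the sample contexts and the sample paths are this example's own.

```python
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in file_contexts(5) format: a regex, an optional file
# type flag (-- regular file, -d directory, -l symlink, ...), and the default
# context, or <<none>> for paths that must not be relabelled. Not taken from
# any real policy.
SAMPLE_FILE_CONTEXTS = r"""
/.*                        system_u:object_r:default_t:s0
/etc(/.*)?                 system_u:object_r:etc_t:s0
/etc/resolv\.conf      --  system_u:object_r:net_conf_t:s0
/var/log(/.*)?             system_u:object_r:var_log_t:s0
/proc(/.*)?                <<none>>
/home/[^/]+/\.ssh(/.*)?    system_u:object_r:ssh_home_t:s0
"""

# setfiles file type flags -> short type names used in this example.
FILE_TYPES = {"--": "reg", "-d": "dir", "-l": "lnk", "-c": "chr",
              "-b": "blk", "-s": "sock", "-p": "fifo"}


@dataclass
class Spec:
    regex: "re.Pattern[str]"
    ftype: Optional[str]      # None: entry applies to every file type
    context: Optional[str]    # None: <<none>>, leave the file alone


def parse_file_contexts(text: str) -> List[Spec]:
    """Parse file_contexts lines, keeping file order (it decides precedence)."""
    specs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            pattern, flag, context = fields
            if flag not in FILE_TYPES:
                raise ValueError(f"line {lineno}: unknown file type {flag!r}")
            ftype = FILE_TYPES[flag]
        elif len(fields) == 2:
            pattern, context = fields
            ftype = None
        else:
            raise ValueError(f"line {lineno}: malformed entry {raw!r}")
        # setfiles anchors every regex to the whole path.
        specs.append(Spec(re.compile("^" + pattern + "$"), ftype,
                          None if context == "<<none>>" else context))
    return specs


def lookup(specs: List[Spec], path: str, ftype: str) -> Optional[str]:
    """Default context for path: the LAST matching entry wins, and an entry
    with a type flag only applies to that file type. None means either no
    entry matched or the winning entry was <<none>>."""
    for spec in reversed(specs):
        if spec.ftype is not None and spec.ftype != ftype:
            continue
        if spec.regex.match(path):
            return spec.context
    return None


Labels = Dict[str, Tuple[str, str]]   # path -> (ftype, current context)

# Constructed snapshot of a guest tree, standing in for walking the mounted
# guest with os.lstat and os.getxattr(path, "security.selinux").
SAMPLE_GUEST_LABELS: Labels = {
    "/etc":              ("dir", "system_u:object_r:etc_t:s0"),
    "/etc/hosts":        ("reg", "system_u:object_r:etc_t:s0"),
    "/etc/resolv.conf":  ("reg", "system_u:object_r:unlabeled_t:s0"),
    "/var/log/messages": ("reg", "system_u:object_r:default_t:s0"),
    "/proc/1/status":    ("reg", "system_u:object_r:proc_t:s0"),
}


def plan_relabel(specs: List[Spec], root: str, labels: Labels):
    """(path, old, new) for every file at or below root whose current
    context differs from the policy default. Unmatched and <<none>> paths
    are left alone, as setfiles does."""
    prefix = root.rstrip("/") + "/"
    changes = []
    for path, (ftype, current) in sorted(labels.items()):
        if path != root and not path.startswith(prefix):
            continue
        wanted = lookup(specs, path, ftype)
        if wanted is not None and wanted != current:
            changes.append((path, current, wanted))
    return changes


def apply_relabel(changes, dry_run: bool = True) -> int:
    """Write the planned contexts as the security.selinux xattr. This is a
    raw xattr write and needs no policy loaded in the running kernel, which
    is why it can be done from the appliance without load_policy. libselinux
    stores the context NUL-terminated, so do the same."""
    for path, _old, new in changes:
        if not dry_run:
            os.setxattr(path, "security.selinux", new.encode() + b"\0",
                        follow_symlinks=False)
    return len(changes)


if __name__ == "__main__":
    specs = parse_file_contexts(SAMPLE_FILE_CONTEXTS)
    for path, old, new in plan_relabel(specs, "/", SAMPLE_GUEST_LABELS):
        print(f"{path}: {old} -> {new}")
```

Two details matter for the API design discussed in the post: the file type column means the same path gets a different answer depending on whether it is a regular file or a symlink (try `/etc/resolv.conf` as "reg" versus "lnk" above), so a relabel pass must lstat rather than stat; and a raw xattr write only bypasses policy validation when the kernel doing the write has no policy loaded. On an SELinux-enabled host kernel the value is checked against the host policy, so doing this from the appliance rather than the host is what makes the guest policy's contexts acceptable.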
virt-resize: support to MBR logical partitions and some question
by Hu Tao
Hi,
I'm adding support for resizing logical partitions (patch is in progress).
But I encounter an error when adding a logical partition in the dest image:
virt-resize: libguestfs error: part_add: parted: /dev/sdb: Warning: The resulting partition is not properly aligned for best performance.
Error: Error informing the kernel about modifications to partition /dev/sdb5 -- Device or resource busy. This means Linux won't know about any changes you made to /dev/sdb5 until you reboot -- so you shouldn't mount it or use it in any way before rebooting.
Error: Failed to add partition 5 (Device or resource busy)
The error is actually no harm since the logical partition has been added
successfully, and I don't want to inform kernel at all. But it prevents
virt-resize from adding further logical partitions.
I can ignore the error when adding logical partitions manually using parted.
The question is, is there any way to ignore such errors in virt-resize?
Regards,
Hu Tao
10 years, 2 months
[PATCH 1/2] fish: edit: factor out download and reupload phases
by Pino Toscano
Share some code between edit_file_editor and edit_file_perl; mostly code
motion, with no actual behaviour change.
---
fish/file-edit.c | 143 +++++++++++++++++++++++--------------------------------
1 file changed, 60 insertions(+), 83 deletions(-)
diff --git a/fish/file-edit.c b/fish/file-edit.c
index ff36ac2..74cb89b 100644
--- a/fish/file-edit.c
+++ b/fish/file-edit.c
@@ -35,6 +35,9 @@
#include "guestfs-internal-frontend.h"
+static int do_download (guestfs_h *g, const char *filename, char **tempfile);
+static int do_upload (guestfs_h *g, const char *filename, const char *tempfile,
+ const char *backup_extension);
static char *generate_random_name (const char *filename);
static char *generate_backup_name (const char *filename,
const char *backup_extension);
@@ -43,38 +46,15 @@ int
edit_file_editor (guestfs_h *g, const char *filename, const char *editor,
const char *backup_extension, int verbose)
{
- CLEANUP_FREE char *tmpdir = guestfs_get_tmpdir (g);
CLEANUP_UNLINK_FREE char *tmpfilename = NULL;
- char buf[256];
- CLEANUP_FREE char *newname = NULL;
CLEANUP_FREE char *cmd = NULL;
struct stat oldstat, newstat;
- int r, fd;
+ int r;
struct utimbuf times;
/* Download the file and write it to a temporary. */
- if (asprintf (&tmpfilename, "%s/libguestfsXXXXXX", tmpdir) == -1) {
- perror ("asprintf");
- return -1;
- }
-
- fd = mkstemp (tmpfilename);
- if (fd == -1) {
- perror ("mkstemp");
- return -1;
- }
-
- snprintf (buf, sizeof buf, "/dev/fd/%d", fd);
-
- if (guestfs_download (g, filename, buf) == -1) {
- close (fd);
+ if (do_download (g, filename, &tmpfilename) == -1)
return -1;
- }
-
- if (close (fd) == -1) {
- perror (tmpfilename);
- return -1;
- }
/* Set the time back a few seconds on the original file. This is so
* that if the user is very fast at editing, or if EDITOR is an
@@ -125,38 +105,7 @@ edit_file_editor (guestfs_h *g, const char *filename, const char *editor,
oldstat.st_size == newstat.st_size)
return 1;
- /* Upload to a new file in the same directory, so if it fails we
- * don't end up with a partially written file. Give the new file
- * a completely random name so we have only a tiny chance of
- * overwriting some existing file.
- */
- newname = generate_random_name (filename);
- if (!newname)
- return -1;
-
- /* Write new content. */
- if (guestfs_upload (g, tmpfilename, newname) == -1)
- return -1;
-
- /* Set the permissions, UID, GID and SELinux context of the new
- * file to match the old file (RHBZ#788641).
- */
- if (guestfs_copy_attributes (g, filename, newname,
- GUESTFS_COPY_ATTRIBUTES_ALL, 1, -1) == -1)
- return -1;
-
- /* Backup or overwrite the file. */
- if (backup_extension) {
- CLEANUP_FREE char *backupname = NULL;
-
- backupname = generate_backup_name (filename, backup_extension);
- if (backupname == NULL)
- return -1;
-
- if (guestfs_mv (g, filename, backupname) == -1)
- return -1;
- }
- if (guestfs_mv (g, newname, filename) == -1)
+ if (do_upload (g, filename, tmpfilename, backup_extension) == -1)
return -1;
return 0;
@@ -166,37 +115,14 @@ int
edit_file_perl (guestfs_h *g, const char *filename, const char *perl_expr,
const char *backup_extension, int verbose)
{
- CLEANUP_FREE char *tmpdir = guestfs_get_tmpdir (g);
CLEANUP_UNLINK_FREE char *tmpfilename = NULL;
- char buf[256];
- CLEANUP_FREE char *newname = NULL;
CLEANUP_FREE char *cmd = NULL;
CLEANUP_FREE char *outfile = NULL;
- int r, fd;
+ int r;
/* Download the file and write it to a temporary. */
- if (asprintf (&tmpfilename, "%s/libguestfsXXXXXX", tmpdir) == -1) {
- perror ("asprintf");
+ if (do_download (g, filename, &tmpfilename) == -1)
return -1;
- }
-
- fd = mkstemp (tmpfilename);
- if (fd == -1) {
- perror ("mkstemp");
- return -1;
- }
-
- snprintf (buf, sizeof buf, "/dev/fd/%d", fd);
-
- if (guestfs_download (g, filename, buf) == -1) {
- close (fd);
- return -1;
- }
-
- if (close (fd) == -1) {
- perror (tmpfilename);
- return -1;
- }
if (asprintf (&outfile, "%s.out", tmpfilename) == -1) {
perror ("asprintf");
@@ -238,6 +164,57 @@ edit_file_perl (guestfs_h *g, const char *filename, const char *perl_expr,
return -1;
}
+ if (do_upload (g, filename, tmpfilename, backup_extension) == -1)
+ return -1;
+
+ return 0;
+}
+
+static int
+do_download (guestfs_h *g, const char *filename, char **tempfile)
+{
+ CLEANUP_FREE char *tmpdir = guestfs_get_tmpdir (g);
+ CLEANUP_UNLINK_FREE char *tmpfilename = NULL;
+ char buf[256];
+ int fd;
+
+ /* Download the file and write it to a temporary. */
+ if (asprintf (&tmpfilename, "%s/libguestfsXXXXXX", tmpdir) == -1) {
+ perror ("asprintf");
+ return -1;
+ }
+
+ fd = mkstemp (tmpfilename);
+ if (fd == -1) {
+ perror ("mkstemp");
+ return -1;
+ }
+
+ snprintf (buf, sizeof buf, "/dev/fd/%d", fd);
+
+ if (guestfs_download (g, filename, buf) == -1) {
+ close (fd);
+ return -1;
+ }
+
+ if (close (fd) == -1) {
+ perror (tmpfilename);
+ return -1;
+ }
+
+ /* Hand over the temporary file. */
+ *tempfile = tmpfilename;
+ tmpfilename = NULL;
+
+ return 0;
+}
+
+static int
+do_upload (guestfs_h *g, const char *filename, const char *tempfile,
+ const char *backup_extension)
+{
+ CLEANUP_FREE char *newname = NULL;
+
/* Upload to a new file in the same directory, so if it fails we
* don't end up with a partially written file. Give the new file
* a completely random name so we have only a tiny chance of
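Review bot: the ownership contract of do_download is not documented at its declaration. On success `*tempfile = tmpfilename; tmpfilename = NULL;` hands the name to the caller, and the temporary (a 0600 mkstemp copy of guest file content) is only removed because both callers declare `CLEANUP_UNLINK_FREE char *tmpfilename`; a future caller using plain CLEANUP_FREE would leave the downloaded guest file behind in the temporary directory. Suggest a comment on the prototype stating that the caller owns *tempfile and must unlink and free it, and on do_upload that it does not remove tempfile. Style: the comment "Download the file and write it to a temporary." now appears in both callers, ahead of a one-line call, and again inside do_download; keep one.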
@@ -248,7 +225,7 @@ edit_file_perl (guestfs_h *g, const char *filename, const char *perl_expr,
return -1;
/* Write new content. */
- if (guestfs_upload (g, tmpfilename, newname) == -1)
+ if (guestfs_upload (g, tempfile, newname) == -1)
return -1;
/* Set the permissions, UID, GID and SELinux context of the new
--
1.9.3
10 years, 2 months
[PATCH] test-tool: improve the envvars printed
by Pino Toscano
Stop printing the FEBOOTSTRAP_* environment variables, since they are
not used anymore.
Furthermore, print the value of $SUPERMIN as well as SUPERMIN_*.
---
test-tool/test-tool.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test-tool/test-tool.c b/test-tool/test-tool.c
index 7e8d88e..e59e33c 100644
--- a/test-tool/test-tool.c
+++ b/test-tool/test-tool.c
@@ -195,7 +195,7 @@ main (int argc, char *argv[])
for (i = 0; environ[i] != NULL; ++i) {
if (STRPREFIX (environ[i], "LIBGUESTFS_"))
printf ("%s\n", environ[i]);
- if (STRPREFIX (environ[i], "FEBOOTSTRAP_"))
+ if (STRPREFIX (environ[i], "SUPERMIN="))
printf ("%s\n", environ[i]);
if (STRPREFIX (environ[i], "SUPERMIN_"))
printf ("%s\n", environ[i]);
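Review bot: the three consecutive if blocks in this hunk each print the same thing, so a single condition, `STRPREFIX (environ[i], "LIBGUESTFS_") || STRPREFIX (environ[i], "SUPERMIN=") || STRPREFIX (environ[i], "SUPERMIN_")`, would read better and make the next prefix a one-line addition rather than a new block.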
--
1.9.3
10 years, 2 months
[PATCH 00/13] code refactorings for tools
by Pino Toscano
Hi,
this series does a couple of code reorganizations/refactoring in code
used by tools: the windows path handling code, and the two types of
file editing (using editor, and using perl expression).
There's still a code duplication between the two variants of file
editing, but it is just within a single source, and can be easily
solved now (planning as next step).
Pino Toscano (13):
edit: move windows path code to common file
fish, edit: specifies whether mount Windows as readonly
fish, edit: move the exit-on-case-sensitive-error behaviour to
virt-edit
cat: use the common Windows path handling code
fish: isolate file editing (w/ editor) code in own file
fish: edit: improve the editor execution
fish: edit: bring backup extension to file editing w/ editor
fish: edit: return 1 for unchanged file
fish: edit: bring the fast-time-edit protection
fish: edit: add perl file editing
edit: switch to common editing functions
fish: edit: add verbose parameter
customize: use the common perl file editing code
builder/Makefile.am | 2 +
cat/Makefile.am | 4 +-
cat/cat.c | 112 +--------------
customize/Makefile.am | 5 +-
customize/perl_edit-c.c | 55 ++++++++
customize/perl_edit.ml | 62 +-------
edit/Makefile.am | 6 +-
edit/edit.c | 368 +++---------------------------------------------
fish/Makefile.am | 2 +
fish/edit.c | 125 +---------------
fish/file-edit.c | 325 ++++++++++++++++++++++++++++++++++++++++++
fish/file-edit.h | 47 +++++++
fish/windows.c | 135 ++++++++++++++++++
fish/windows.h | 45 ++++++
po/POTFILES | 3 +
sysprep/Makefile.am | 2 +
v2v/Makefile.am | 2 +
17 files changed, 663 insertions(+), 637 deletions(-)
create mode 100644 customize/perl_edit-c.c
create mode 100644 fish/file-edit.c
create mode 100644 fish/file-edit.h
create mode 100644 fish/windows.c
create mode 100644 fish/windows.h
--
1.9.3
10 years, 2 months
[PATCH 0/3] fix setting lvm filter with newer lvm2
by Pino Toscano
Hi,
newer lvm2 releases don't have uncommented "filter" lines, so the
current way to edit lvm.conf doesn't work anymore.
Instead, switch to augeas (with a "custom" lens) for a cleaner and
working way to set the lvm filter.
Pino Toscano (3):
daemon: add add_sprintf
daemon: move AUGEAS_ERROR to the common header
daemon: lvm-filter: use augeas for setting the filter
appliance/Makefile.am | 6 +-
appliance/guestfs_lvm_conf.aug | 74 +++++++++++++++++
daemon/augeas.c | 17 ----
daemon/daemon.h | 19 +++++
daemon/guestfsd.c | 20 +++++
daemon/lvm-filter.c | 183 +++++++++++++++++++++--------------------
6 files changed, 211 insertions(+), 108 deletions(-)
create mode 100644 appliance/guestfs_lvm_conf.aug
--
1.9.3
10 years, 2 months
Error: No Host Found
by Mark Husted (hustedm)
Hello Rich,
You helped me with a libguestfs issue last week. The good news is that I have progressed beyond that. Unfortunately, I have found another issue which I cannot seem to get past. It deals with OpenStack PackStack as described on the RDO setup site. It is hosted in an Oracle VirtualBox running CentOS 6.5. It appears to be running, I can use the Horizon interface. I have figured out how to get the HEAT Orchestration up and running.
I am not sure that libguestfs is the correct list. If not, could you please forward to the correct list?
I cannot create an instance, either through HEAT or Horizon. I am getting an Error: No Host Found. I have done some digging. At first, I thought I did not have any VCPUs. I was looking through Nova.conf and that line was commented out. So, I put it back in and restarted all of the Nova services. Then I determined that I was not using a big enough flavor. So, I changed that. Still, I get the error.
I have attached the appropriate (I hope) log files. I am unsure what I have done wrong at this point, especially since the Horizon interface is failing too.
Thank you for your time,
Mark Husted
Mark Husted
ENGINEER.SOFTWARE ENGINEERING
Service Provider Video Technology Group
hustedm(a)cisco.com
Phone: +1 770 236 1242
Bldg 2.1.238
5030 Sugarloaf Parkway
Lawrenceville, GA 30044
United States
http://www.cisco.com
10 years, 2 months
latest libguestfs repo for CentOS 6.4
by Priyanka Ranjan
Hello Experts,
I am using CentOS 6.4. I have libguestfs 1.16 installed on my system
(CentOS 6.4). I want to use iscsi and for that I want to install libguestfs
>= 1.21. Is libguestfs 1.21 available for CentOS 6.4?
Many Thanks in advance.
10 years, 2 months
When updating to HEAD today ...
by Richard W.M. Jones
... you may get a link failure until you run the following command:
make -C v2v link.sh
Rich.
PS: Can someone explain why:
$ pkg-config --libs libvirt
-lvirt -ldl -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic
?
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
Fedora Windows cross-compiler. Compile Windows programs, test, and
build Windows installers. Over 100 libraries supported.
http://fedoraproject.org/wiki/MinGW
10 years, 2 months
[PATCH 1/3] v2v: add xmlXPathRegisterNs for libxml2 binding
by Shahar Havivi
Signed-off-by: Shahar Havivi <shaharh(a)redhat.com>
---
v2v/xml-c.c | 15 +++++++++++++++
v2v/xml.ml | 1 +
v2v/xml.mli | 2 ++
3 files changed, 18 insertions(+)
diff --git a/v2v/xml-c.c b/v2v/xml-c.c
index 4c9bc77..aea62ae 100644
--- a/v2v/xml-c.c
+++ b/v2v/xml-c.c
@@ -141,6 +141,21 @@ v2v_xml_xpath_new_context (value docv)
}
value
+v2v_xml_xpath_register_ns (value xpathctxv, value prefix, value uri)
+{
+ CAMLparam3 (xpathctxv, prefix, uri);
+ xmlXPathContextPtr xpathctx;
+ int r;
+
+ xpathctx = Xpathctx_val (xpathctxv);
+ r = xmlXPathRegisterNs (xpathctx, BAD_CAST String_val (prefix), BAD_CAST String_val (uri));
+ if (r == -1)
+ caml_invalid_argument ("xpath_register_ns: unable to register namespace");
+
+ CAMLreturn (Val_unit);
+}
+
+value
v2v_xml_xpath_eval_expression (value xpathctxv, value exprv)
{
CAMLparam2 (xpathctxv, exprv);
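Review bot: the `r = xmlXPathRegisterNs (xpathctx, BAD_CAST String_val (prefix), BAD_CAST String_val (uri));` line runs well past 80 columns; wrap the second argument onto a continuation line. The error raised on failure, "xpath_register_ns: unable to register namespace", does not say which prefix or URI was rejected, so a caller registering several namespaces cannot tell which one failed; consider formatting the prefix into the message (caml_invalid_argument takes a plain C string, so build it into a local buffer first). Raising after CAMLparam3 without reaching CAMLreturn is fine, the exception unwinds the registered roots.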
diff --git a/v2v/xml.ml b/v2v/xml.ml
index 78cb022..fea8784 100644
--- a/v2v/xml.ml
+++ b/v2v/xml.ml
@@ -31,6 +31,7 @@ type node = doc * node_ptr
external parse_memory : string -> doc = "v2v_xml_parse_memory"
external xpath_new_context : doc -> xpathctx = "v2v_xml_xpath_new_context"
external xpath_eval_expression : xpathctx -> string -> xpathobj = "v2v_xml_xpath_eval_expression"
+external xpath_register_ns : xpathctx -> string -> string -> unit = "v2v_xml_xpath_register_ns"
external xpathobj_nr_nodes : xpathobj -> int = "v2v_xml_xpathobj_nr_nodes"
external xpathobj_get_node_ptr : xpathobj -> int -> node_ptr = "v2v_xml_xpathobj_get_node_ptr"
diff --git a/v2v/xml.mli b/v2v/xml.mli
index 38bb9cd..8eefecc 100644
--- a/v2v/xml.mli
+++ b/v2v/xml.mli
@@ -29,6 +29,8 @@ val xpath_new_context : doc -> xpathctx
(** xmlXPathNewContext *)
val xpath_eval_expression : xpathctx -> string -> xpathobj
(** xmlXPathEvalExpression *)
+val xpath_register_ns : xpathctx -> string -> string -> unit
+(** xmlXPathRegisterNs *)
val xpathobj_nr_nodes : xpathobj -> int
(** Get the number of nodes in the node set of the xmlXPathObjectPtr. *)
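Review bot: the doc comment `(** xmlXPathRegisterNs *)` on xpath_register_ns does not say that the binding raises Invalid_argument when registration fails (the C side calls caml_invalid_argument), and the `string -> string -> unit` type does not convey the argument order; state both, e.g. "prefix then URI; raises Invalid_argument if libxml2 rejects the registration", so callers in the v2v code know to handle it.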
--
1.9.3
10 years, 2 months